From: Mike Silbersack <silby@silby.com>
To: Anton Bester
Cc: freebsd-net@freebsd.org
Date: Tue, 25 Oct 2005 02:28:33 -0500 (CDT)
Subject: Re: Bind 8
Message-ID: <20051025022412.X911@odysseus.silby.com>
In-Reply-To: <200510181954020250.00A66152@196.25.53.68>
List-Id: Networking and TCP/IP with FreeBSD (freebsd-net@freebsd.org)

On Tue, 18 Oct 2005, Anton Bester wrote:

> Hi All,
>
> I do not know if this is the correct forum for this question; if not, please point me in the right direction.
>
> My secondary DNS server all of a sudden started to chop up about 100% of
> my server's CPU. I'm running a FreeBSD 5.1-RELEASE server with Bind 8.
> It was doing fine until I noticed that the server's CPU was running near
> 100%; it turned out to be bind.
>
> When I restart bind it takes a couple of minutes, but then it is back at
> 70% - 100% with a lot of traffic being sent to my primary DNS server. I
> have noticed the following error in the primary DNS log file:
>
> Oct 18 12:24:01 ns /kernel: Limiting icmp unreach response from 315 to 200 packets per second
> Oct 18 12:24:02 ns /kernel: Limiting icmp unreach response from 259 to 200 packets per second
> Oct 18 12:24:03 ns /kernel: Limiting icmp unreach response from 223 to 200 packets per second

The problems may or may not be related; a good tcpdump will be required to figure it out.

Those messages appear when incoming UDP packets are destined to a port that isn't listening for responses. DNS can cause that in two ways that I can think of off the top of my head:

1. A client program makes a DNS request to a DNS server. The DNS server takes a long time responding, and in the meantime the client gives up and stops listening for a response. The DNS server finally returns a response, but since the client is no longer listening, the kernel has to return an icmp unreach response.

2. Similar case - you restart DNS server A, which had a bunch of queries in to DNS server B. DNS server A is restarted, and listens for query responses on a different port than it did before. DNS server B responds with all the delayed DNS responses, and the kernel has to bounce all 315 per second of them.

So, BIND is the real problem here; those messages are just telling you that the kernel is limiting the number of "icmp unreach" messages for packets that have no real destination anymore. This is mostly to save bandwidth during DoS attacks.

Mike "Silby" Silbersack
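The reply above says a tcpdump is needed to tell the two cases apart. The decoder below is an added example, not code from the thread or from FreeBSD: it shows what to look for in that capture. An ICMP "destination unreachable / port unreachable" (type 3, code 3) message quotes the IP header and at least the first 8 bytes of the UDP datagram that provoked it (RFC 792), which is enough to recover the sender, the source port (53 for a DNS answer) and the closed local port it hit. Counting those tuples separates case 2 (hundreds of answers from one peer landing on one stale port after a restart) from case 1 (answers scattered across many client ports). The packet builders, the addresses (RFC 5737 documentation ranges), the capture and the `diagnose` heuristic are all constructed here for illustration.

```python
"""Decode ICMP port-unreachable messages and attribute them to the UDP flow
that triggered them (added example; sample packets are constructed inline)."""
import socket
import struct
from collections import Counter

ICMP_PROTO = 1
UDP_PROTO = 17
ICMP_DEST_UNREACH = 3
ICMP_PORT_UNREACH = 3


def _ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left at 0 (not validated here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def build_udp_datagram(src, dst, sport, dport, payload):
    """Constructed UDP/IPv4 datagram, e.g. a DNS answer from src:sport to dst:dport."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return _ipv4_header(src, dst, UDP_PROTO, len(udp)) + udp


def build_port_unreach(reporter, target, original, quote_bytes=8):
    """ICMP type 3 code 3 as a kernel emits it: the offending datagram's IP header
    plus quote_bytes of what followed it. RFC 792 guarantees only 8 bytes."""
    ihl = (original[0] & 0x0F) * 4
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0, 0)
    return _ipv4_header(reporter, target, ICMP_PROTO, len(icmp) + len(original[:ihl + quote_bytes])) \
        + icmp + original[:ihl + quote_bytes]


def parse_port_unreach(pkt):
    """Return the UDP flow an ICMP port-unreachable complains about, or None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != ICMP_PROTO or len(pkt) < ihl + 8:
        return None
    if (pkt[ihl], pkt[ihl + 1]) != (ICMP_DEST_UNREACH, ICMP_PORT_UNREACH):
        return None
    inner = pkt[ihl + 8:]                       # quoted offending datagram
    if len(inner) < 20 or inner[0] >> 4 != 4:
        return None
    inner_ihl = (inner[0] & 0x0F) * 4
    if inner[9] != UDP_PROTO or len(inner) < inner_ihl + 8:
        return None
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    dns_id = None                                # only if the stack quoted > 8 bytes
    if len(inner) >= inner_ihl + 10:
        dns_id = struct.unpack("!H", inner[inner_ihl + 8:inner_ihl + 10])[0]
    return {"reporter": socket.inet_ntoa(pkt[12:16]),
            "src": socket.inet_ntoa(inner[12:16]), "sport": sport,
            "dst": socket.inet_ntoa(inner[16:20]), "dport": dport,
            "dns_id": dns_id}


def summarize(pkts):
    """Count unreachables by (offending sender, its port, local host, closed local port)."""
    counts = Counter()
    for p in pkts:
        f = parse_port_unreach(p)
        if f:
            counts[(f["src"], f["sport"], f["dst"], f["dport"])] += 1
    return counts


def diagnose(counts, share=0.8):
    """Heuristic (mine, not from the thread): one peer hammering one closed port
    looks like answers for a restarted resolver's old port; many distinct
    flows look like client-side timeouts."""
    total = sum(counts.values())
    if total == 0:
        return "nothing to report"
    (src, sport, dst, dport), top = counts.most_common(1)[0]
    if top / total >= share:
        return f"stale-port: {top}/{total} from {src}:{sport} to closed {dst}:{dport}"
    return f"scattered: {len(counts)} distinct flows over {total} messages"


REPORTER = "192.0.2.10"   # constructed: host whose kernel logs the limiting messages
PEER = "192.0.2.20"       # constructed: DNS server whose answers arrive too late


def sample_capture():
    """Constructed capture: 300 answers from PEER:53 hit REPORTER:1025 after a
    restart moved the listener elsewhere, plus 3 stray answers to other ports."""
    pkts = []
    for i in range(300):
        answer = struct.pack("!HHHHHH", 0x1000 + i, 0x8180, 1, 1, 0, 0)
        dgram = build_udp_datagram(PEER, REPORTER, 53, 1025, answer)
        pkts.append(build_port_unreach(REPORTER, PEER, dgram, quote_bytes=20))
    for port in (2000, 2001, 2002):
        dgram = build_udp_datagram("198.51.100.7", REPORTER, 53, port, b"\x00" * 12)
        pkts.append(build_port_unreach(REPORTER, "198.51.100.7", dgram))
    return pkts


if __name__ == "__main__":
    counts = summarize(sample_capture())
    for flow, n in counts.most_common(3):
        print(n, flow)
    print(diagnose(counts))
```

On the host that logs the messages, `tcpdump -ni <if> 'icmp[0] = 3 and icmp[1] = 3'` shows exactly these packets as they leave, and `sysctl net.inet.icmp.icmplim` is the 200-per-second ceiling the log line refers to; raising it does not fix the stray traffic, it only stops the kernel from dropping the complaints about it.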